Information About Ingress Policing

Policing allows you to monitor the data rate for a particular class of traffic. When the data rate for a class exceeds the user-configured values, the switch drops the excess packets immediately. Because policing does not buffer traffic, it does not add transmission delay.

The committed information rate (CIR) is a value specified as a bit rate from 1 to 80000000000 or a percentage of the link rate.

In addition, Ingress Policing can monitor the burst size associated with the traffic. Ingress Policing assigns each packet one of two colors, or conditions, depending on the data rate parameters that you supply.

You can configure only one action for each condition. For example, you might police for traffic in a class to conform to the data rate of 256000 bits per second with up to 200 millisecond bursts.

Color-aware Ingress Policing assumes that traffic has been previously marked with a color.
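The following is an added example, not code from the Cisco documentation: a single-rate, two-color policer modelled as a token bucket, using the page's own figures (CIR of 256000 bits per second, 200 millisecond burst). The model is an assumption that approximates the conform/violate behaviour described above, not the NX-OS implementation; it also keeps the allowed and drop counters that the switch reports as statistics.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate, two-color policer: conform = allow, violate = drop (assumed token-bucket model)."""
    cir_bps: int                 # committed information rate, bits per second
    bc_ms: int                   # committed burst, expressed as milliseconds at CIR
    bc_bytes: float = field(init=False)
    tokens: float = field(init=False)
    last_t: float = 0.0          # arrival time of the previous packet, seconds
    allowed: int = 0             # "allowed count" statistic
    dropped: int = 0             # "drop count" statistic

    def __post_init__(self) -> None:
        # 256000 bps with a 200 ms burst permits 6400 bytes above the committed rate.
        self.bc_bytes = self.cir_bps * self.bc_ms / 1000 / 8
        self.tokens = self.bc_bytes

    def police(self, t: float, size: int) -> str:
        """Color one packet of `size` bytes arriving at time `t` (seconds)."""
        # Refill the bucket for the elapsed time, never beyond the burst size.
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(self.bc_bytes, self.tokens + elapsed * self.cir_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.allowed += 1
            return "conform"
        # No buffering: a packet that exceeds the available burst is dropped at once.
        self.dropped += 1
        return "violate"


def run_example():
    """Constructed trace: ten 1500-byte frames back to back at t=0, then one more 100 ms later."""
    policer = Policer(cir_bps=256000, bc_ms=200)
    results = [policer.police(0.0, 1500) for _ in range(10)]
    # 100 ms at 256000 bps refills 3200 bytes, so the next frame conforms again.
    results.append(policer.police(0.1, 1500))
    return results, policer.allowed, policer.dropped


if __name__ == "__main__":
    colors, allowed, dropped = run_example()
    print(colors)                      # 4 conform, 6 violate, then 1 conform
    print(f"allowed={allowed} dropped={dropped}")
```

The burst of ten frames exhausts the 6400-byte bucket after four frames, so the remaining six are dropped rather than queued; this is the behaviour to expect when a client of a policed class sends faster than the CIR.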

Table 1 Maximum Supported Hardware Configuration for Policers

              Nexus 5500 Series   Nexus 2232   Nexus 2248TP-E   Nexus 6000 Series
Burst Size    64 MB               32 MB        32 MB            64 MB
Max Rate      96 Gbps             12 Gbps      8 Gbps           8 Gbps
Granularity   732 kbps            732 kbps     488 kbps         122 kbps

Guidelines and Limitations for Ingress Policing

The configuration for Ingress Policing is a part of the Quality of Service (QoS) policy configuration. You can configure QoS policies with Ingress Policing on the following:

Marking is not supported in the Ingress Policing implementation on the Cisco Nexus 5500 platform. The only conform action is allow and the only violate action is drop.

The Ingress Policing configuration is supported on the Cisco Nexus 5500 platforms and all Cisco Nexus 2000 platforms except for the Cisco Nexus 2148 switch.

Statistics are provided with Ingress Policing. Statistics include the drop count and allowed count. You can display the statistics by entering the show policy-map interface ethernet command.

QoS policies that you configure on the attachments are installed in the QoS region of the Ternary Content Addressable Memory (TCAM) and cause the switch to apply Ingress Policing.

If you configure a QoS policy with Ingress Policing on a HIF port or HIF port channel, Ingress Policing is offloaded to the Fabric Extender (FEX). Policy rewrites occur only in the switch, so offloading the QoS policy to the FEX is required whenever a QoS policy rewrite affects the policer.

All the match/set criteria that are supported in a QoS policy are supported even with Ingress Policing present in the policy. A Fabric Extender (FEX) supports Layer 3 operations (fragments) and Layer 4 operations (source and destination port ranges) but not the Transmission Control Protocol (TCP) flags and Layer 2 operations.

You can define match criteria for a QoS policy so that it matches the control protocol traffic. If this type of policy is configured with Ingress Policing on an HIF port, the control traffic also gets policed. Therefore, the match criteria must be specific to the required flow of traffic.

The switch cannot apply a QoS policy with Ingress Policing to an HIF port that has virtual Ethernet interfaces attached.

If the switch applies Ingress Policing on the HIF port, the policer is applied to traffic with no Virtual Network Tag (VNTAG).

A policy with Ingress Policing is allowed only on switch ports, HIF ports, and port channels with switch/HIF ports.

Ingress Policing with Layer 2 operations and TCP flags in the match criteria is not allowed on FEX interfaces.

Ingress Policing is not supported on Enhanced VPC (2LayerVPC) ports.

It is recommended that you apply identical Ingress Policing on Dual-homed (AA) HIF interfaces.

The police command is not supported on system QoS policies.

Use the show policy-map interface command to check whether traffic conforms to the ingress rate limiter and to display the conformed and violated statistics. On HIF interfaces (regular as well as port-channel) the CLI displays conformed/violated packets and packets per second, whereas on switchports (regular as well as port-channel) the command displays conformed/violated bytes and bits per second (bps).

Creating a Policy Map Using a Committed Information Rate

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# policy-map [type qos] [qos-policy-map-name]
Purpose: Creates a named object that represents a set of policies that are applied to a set of traffic classes. Policy-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.

Associates a class map with the policy map and enters configuration mode for the specified system class. Use the class-default keyword to select all traffic that is currently not matched by classes in the policy map.

The class-map-name argument can be a maximum of 40 characters. The name is case sensitive and can only contain alphanumeric characters, hyphens, and underscores.

Creating a Policy Map Using a Percentage of the Interface Rate

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# policy-map [type qos] [qos-policy-map-name]
Purpose: Creates a named object that represents a set of policies that are applied to a set of traffic classes. Policy-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.

Associates a class map with the policy map and enters configuration mode for the specified system class. Use the class-default keyword to select all traffic that is currently not matched by classes in the policy map.

The class-map-name argument can be a maximum of 40 characters. The name is case sensitive and can only contain alphanumeric characters, hyphens, and underscores.